May 26, 2005

Who's Afraid of the Big Bad Chase?

By Evan Schuman, Ziff Davis Internet

Opinion: JP Morgan Chase's contactless credit card move is scaring consumers needlessly. They should be scared, but not by Chase.

When JP Morgan Chase—the nation's largest issuer of credit cards—announced last week that it was incorporating contactless payment capabilities in all upcoming credit cards, it was a huge legitimizing moment for contactless.

It generated lots of consumer buzz for the feature that Chase calls “Blink” and it is most likely the first RFID-enabled payment device that became a punchline on Saturday Night Live. (The JP Morgan folk loved that.)

But for all of the attention, it is technologically dull. It's not a smartcard, so there's no great CRM potential.

It houses no security technology that goes beyond what many credit cards—including those from Chase—already have, and it will look and feel like today's typical credit cards, even down to the magstripe on its back.

When you cut through the hype, all you have is a card that can shave a few seconds—maybe a fraction of a minute—off of a transaction.

For a retailer who makes more money the more people he or she can push through cashier lanes, that absolutely is exciting.

Chase could have done this years ago, but it was waiting for some of the more speed-sensitive merchants—convenience stores, quick-service restaurants, drive-throughs of all types, etc.—to start taking credit cards at all.

It was just a few years ago that most such locations were overwhelmingly cash-dominant.

For the card to be used contactless, the customer must wave the card about two inches in front of the reader. This doesn't have the distance of an EZPass, and certainly not the range of anti-theft devices.

But the card never has to leave the hand and that's where much of the time savings come in.

Scott Rau, who is a senior VP for Chase Bank USA, estimated that a typical quickserve order—from when the order is placed to when the customer is driving out the driveway—is about two and a half minutes.

With a contactless-enabled card, Rau said it should be about 20 seconds less. That adds up quickly.

But the initial contactless card will still likely live in a wallet inside a pocket, which requires time to pull out.

Mobil addressed that contactless issue a few years ago with its fob-based SpeedPass, designed to hang off of the keychain. Or EZPass, mounted to a window with a much-greater reader range.

In a few years, don't be surprised to see contactless payment rings, where groceries can be purchased with a Jedi-like wave of the hand.

But there is a more immediate Blink time savings, compared with today's regular credit cards: While some customers will still hear, "You want fries with that?" they are not going to hear, "Sign here, please" nor "type your PIN here." (Actually, they usually say "Type your PIN number here," but I've come to the conclusion they are merely trying to drive me insane. I think they only do it for editors.)

This is a classic reality versus perception issue. Consumers perceive wireless to be less secure and they see contactless as just another form of wireless.

Well, with a wireless LAN or a typical laptop at a Starbucks, they're right.

Oddly enough, those are the ones they generally assume are secure.

So back to Chase. They know that consumers are worried about identity theft and various fraud and theft efforts and that they are worried about new devices in general and wireless in particular.

Therefore, with the new device, they have eliminated the security gesture of the cards it is replacing.

No more PIN, the verifier of choice for debit cards, and no more signatures for credit cards.

Why is this perception versus reality? I'm reminded of the fraud and theft fears that dominated the consumer press about 10 years ago, when e-commerce was just starting.

Consumers would ask whether giving credit card numbers to major Web sites was safe.

The e-commerce answer back then—and it's the same contactless answer today—was "Compared with what?" Are you safe using credit cards for e-commerce? No, not really. Not at all, actually.

But the question that was asked 10 years ago was: Are you materially less safe than you are doing what you typically do?

Which is more risky? Giving your credit card number on an encrypted payment page at or handing your credit card to an anonymous 16-year-old at some gas station you pulled into at 2 a.m.?

That's the same 16-year-old, by the way, who took your credit card behind a closed door and re-emerged five minutes later.

How much security is your credit card signature truly providing you? How often do cashiers look at your signature and compare it to the one on the back of the card?

Years ago, American Express used to include scans of every receipt—with the cardmember's signature on it—with every bill issued.

They stopped because nobody bothered to look at it.

Chase's argument is that the card is safer because it doesn't leave the consumer's possession.

That's a nice, comforting answer until you realize that the thief doesn't need to have the card for more than the split second the scan needs.

As the Saturday Night Live joke went, Chase is allowing its customers to be ripped off faster and more conveniently than ever before.

The fact is that the strongest protection the cards offer today is much more effective than the highest level of encryption: a policy whereby they'll waive charges you can convince them were fraudulent.

With that security device, all you have to do is trust Chase. Uh-oh.